Skip to content
epitometool

htpasswd generator

Security tools

Create htpasswd-compatible credential lines for basic-auth protected routes.

Updated

Credentials

htpasswd output

Quick start

How to generate htpasswd lines

Provide username and password to create an htpasswd entry.

  1. Step 1
    Enter credentials

    Set username and password.

  2. Step 2
    Generate line

    Create salted credential line.

  3. Step 3
    Save

    Append line to protected auth file.

In-depth guide

htpasswd files: protecting Apache and Nginx routes with Basic auth

An .htpasswd file is the credential store behind HTTP Basic authentication on Apache and Nginx. Each line maps a username to a hashed password, and the web server checks incoming credentials against it before serving a protected path. This tool builds those lines in your browser so you can drop them straight into a server config.

The line format

Every entry is username:hash on its own line. The hash is salted, so two users with the same password still get different hashes. Apache historically used its own bcrypt or MD5-crypt variants; modern setups prefer bcrypt because it is deliberately slow and resistant to brute force.

How to use this tool

  1. Enter a username and password and copy the generated line.
  2. Paste it into your .htpasswd file (run the tool again per user and append each line).
  3. Point your server at the file — AuthUserFile in Apache, or auth_basic_user_file in Nginx — and reload.

When to use it vs alternatives

htpasswd is perfect for locking down a staging site, an internal dashboard or a single admin path with minimal moving parts. For real user accounts, password resets or roles, use an application-level auth system or an identity provider instead — a flat file does not scale to that.

Security and privacy

Serve the protected path over HTTPS and keep the .htpasswd file outside the web root so it can never be downloaded directly.
  • Avoid default or shared credentials — each user should have a strong, unique password.
  • Rotate entries when someone no longer needs access; there is no session expiry with Basic auth.
  • Privacy: hashing happens locally in your browser and the password is never uploaded.

Common pitfalls

  • Check the result before replacing the original input.
  • Watch for unit, format, encoding, and browser memory limits on large inputs.
  • Keep a copy of important source material until the output is verified.

Frequently asked questions

What output format does this produce?

A username:hash line compatible with Apache and Nginx .htpasswd files, where the hash is salted so identical passwords still differ between users.

How do I add several users?

Generate one line per user and append each to the same .htpasswd file. Each line is independent.

How do I wire it into my web server?

Point AuthUserFile at the file in Apache, or auth_basic_user_file in Nginx, then reload the server so the protected path requires the credentials.

Which hash should I use?

Prefer bcrypt where your server supports it — it is deliberately slow and resistant to brute-force, unlike the older MD5-crypt or crypt formats.

Where should the .htpasswd file live?

Outside the web root so it can never be downloaded directly, and serve the protected path over HTTPS so credentials are not exposed in transit.

Does the password leave the browser?

No. The hash is generated locally and the password is never uploaded.

Keep exploring

More tools you'll like

Hand-picked utilities that pair well with the one you're on — all free, client-side, and zero-signup.

More security tools

See all →

Popular across EpitomeTool

Browse all →
Browse all 212+ free tools